How strong is your security culture? Is your organization’s approach to managing risk and protecting data compliance-centric or security-centric? Is the focus of your security culture to be compliant with some regulatory standard? It’s a known fact that compliant organizations are not necessarily secure. In recent times, organizations that were declared “PCI-Compliant” have been victims of security breaches. Being compliant can give an organization a false sense of security and leave it exposed.
The concepts of security and compliance should ideally be complementary, but oftentimes we find them in conflict with each other.
The goal of compliance is to force organizations to put in place minimum security controls. It is supposed to be a baseline for security. Compliance requirements and activities are externally defined and often do not reflect an organization’s business needs or an ever-changing security landscape. Organizations that are compliance-focused often lack a maintenance culture to sustain what was built quickly to satisfy an external party.
On the other hand, a good security strategy takes a holistic approach to protecting an organization’s assets. It is based on business needs and on minimizing the organization’s risks. Good security is principled. It cares to measure the effectiveness of the controls that are implemented. It tries to understand what the business is trying to achieve, investigates solution options, selects the best and most cost-effective solution for the organization, and finds a way to measure whether the solution works.
How can organizations get the best of both worlds? Simply, by making good security the goal. Good security will often facilitate compliance efforts. It is also true that most security programs will be enabled and fostered by compliance projects, but that should be a starting point, not an end. Security, when implemented correctly, makes compliance easy, as you only need to provide evidence that you have the controls in place. In other words, good security leads to compliance, but compliance is not equal to good security.
Finally, it is important to always remember that neither security nor compliance is a destination; both are a never-ending journey, as each must be sustained continuously. That is the key to success.